Password managers

A secure way to manage login details for your accounts

The Student Information Processing Board is restarting the “Ask SIPB” column. This is your chance to ask questions regarding computing at MIT or in general. We’ll publish semi-regularly, depending on the frequency of questions and overall interest. You can submit your questions using this google form: https://goo.gl/forms/jd7jYiuPC57NiWbf1, or by sending an email to sipb@mit.edu. We also encourage you to stop by the SIPB office (W20-557).

This issue will be a quick introduction to password managers.

What is a password manager?

If you try to create an online account these days, you’ll notice different prompts on how t o craft a strong, unique password for that account. This matters, because a weak password makes it easy for the account to be hacked, thus jeopardizing your information, credentials and privileges. On the other hand, a strong password is hard to remember, especially if you have to come up with different passwords for different accounts. Reusing passwords is not advised, as a leaked password from one account can be used to compromise your other accounts.

A password manager solves the problem of managing different passwords by storing your login information for all your accounts, and allowing you to login automatically. All you need to remember is a strong, unique master password for the manager itself. If you need to log in to an account, you type your master password into the password manager, and it will automatically fill the information required to log in. Password managers can also generate secure passwords when you create new accounts, and they offer password-changing tools for existing accounts.

How to get started

The first step is to choose a secure master password. IS&T provides a guide on how to choose a strong password here: http://kb.mit.edu/confluence/x/3wNt. It’s best to not write down your password but instead use tricks to make it easier to remember or recall, unless you are positive you can store the piece of paper in a secure location where others wouldn’t bother to look.

After installing a password manager, you can import or export your passwords from browsers. You can either add them as you browse or transfer them manually. However, you may want to change the existing passwords for your accounts to more secure ones. As mentioned before, password managers have tools for changing passwords, and they can also identify weak or duplicate passwords for you.

Types of password managers

One type of password manager is locally installed software, such as desktop or phone applications. These password managers can be used offline.

There are also web-based password managers, which are more portable. Major browsers, such as Chrome, Firefox, Internet Explorer, offer integrated web-based password managers. However, some of the browser-based password managers don’t store your passwords in an encrypted form, or don’t offer the option of generating secure passwords for you.

To mitigate this, you can use dedicated web-based password managers that encrypt your data. Many of them are also cloud-based, and store your data in an encrypted form in the cloud. Cloud-based password managers also allow you to access your information from different computers. An example of a cloud-based password manager is LastPass, which is free for MIT students. LastPass also includes mobile and desktop applications, two-factor authentication, and works on all operating systems. You can find more information about LastPass here: http://kb.mit.edu/confluence/x/d1sYCQ.

Another type of password manager is token-based. The user is authenticated using a local hardware device (token), such as secure USB flash devices or smart cards. The data stored in the token is usually encrypted.

What are the pros and cons of using a password manager?

Password managers allow you to generate secure passwords for your accounts. They also do away with the burden of remembering different passwords. Another advantage is that password managers prevent password reuse. Because people go for passwords they can memorize, they often use the same password for several sites. If one password gets compromised, attackers can use the credentials to log into any site that password was used.

Some password managers allow you to share credentials between multiple users of the same type of password manager, which is useful for shared accounts. They can also help protect against phishing. For example, if you are trying to access an account, and the password manager doesn’t automatically fill in the information, you may be on a phishing website. Similarly, password managers can also compare the website’s url to that of a stored one, and will not fill in information when mismatched.

One downside of using a password manager is that forgetting your master password cuts your access to all your stored data. If you want to access your accounts, you would have to reset each password individually. Fortunately, you don’t have to go through all that trouble, as password managers provide the ability to recover or reset your master password. Another downside is that if the master password is hacked, the attacker gains access to all your passwords. Which is why selecting a strong master password is important!

How secure is a password manager?

Any password stored in an unencrypted manner makes your data vulnerable. However, many password managers (such as LastPass) encrypt your data with the master password as a key. Even then, a weak master password or storing the password in a compromised location (local or cloud) will leave you vulnerable. Entering the master password via any physical keyboard also creates opportunities for attacks such as keylogging. Virtual keyboards leave you open to screenshot attacks. A lot of password managers solve these issues by using multi-factor authentication. Nonetheless, the algorithm a password manager uses to generate a password can still compromise your data if the passwords generated aren’t secure enough.

Let’s assume you are using a very good password manager and have a strong master password. If your manager is web-based, your data can still be attacked by hackers that exploit classic web vulnerabilities to steal passwords. You can also get your master password leaked by entering it on phishing websites or frames. Sharing credentials can also cause problems when authenticated users shouldn’t have the same permissions as the main user.